Device-independent security of quantum cryptography against collective attacks 
We present the optimal collective attack on a Quantum Key Distribution (QKD) protocol in the "device-independent" security scenario, where no assumptions are made about the way the QKD devices work or on what quantum system they operate. Our main result is a tight bound on the Holevo information between one of the authorized parties and the eavesdropper, as a function of the amount of violation of a Bell-type inequality.



Quantum Key Distribution (QKD) allows two parties, Alice and Bob, to generate a secret key in the presence of an eavesdropper, Eve. The secret key can then be used for different tasks, for instance encryption of a message. In 1984, Bennett and Brassard invented the first QKD protocol, known as BB84 [1]. A few years later, Ekert independently rediscovered that quantum correlations can be used to distribute secrecy [2]. Since then, research on quantum cryptography has witnessed enormous advances, both theoretical and experimental.

Existing QKD schemes rely for their security on several assumptions. The basic one is that any eavesdropper, however powerful, must obey the laws of quantum physics. In addition to it, there are two other requirements, without which no shared secret key can be established. The first one is the freedom and secrecy of measurement settings: on each particle, both Alice and Bob should be allowed to choose freely among at least two measurement settings (e.g., the two bases of BB84) and this choice should not be known to Eve, at least as long as she can act on the incoming quantum states (in BB84, the bases are revealed, but only after the measurements are performed). The second requirement, even more obvious, is the secrecy of outcomes: at no stage should there be a leakage of information about the final key. These two requirements can be summarized by saying that no unwanted classical information must leak out of Alice's and Bob's laboratories. If an implementation has a defect in this respect (e.g., if a Trojan Horse attack is possible, or if Eve can access Bob's computer), no security can be guaranteed.

In addition to these essential requirements, existing security proofs [4, 5, 6] assume that Alice and Bob have (almost) perfect control of the state preparation and of the measurement devices. This assumption is often critical: for instance, the security of the BB84 protocol is entirely compromised if Alice and Bob, instead of sharing qubits as usually assumed, share 4-dimensional systems [7, 8].

At first sight, control of the apparatuses seems to be an inescapable requirement. Remarkably, this is not the case: we present here a device-independent security proof against collective attacks by a quantum Eve for the protocol described in Ref. [9]. Our proof holds under no other requirements than the essential ones listed above. It is therefore "device-independent" in the sense that it needs no knowledge of the way the QKD devices work, provided quantum physics is correct and provided Alice and Bob do not allow any unwanted signal to escape from their laboratories.

In a collective attack, Eve applies the same attack on each particle of Alice and Bob, but no other limitations are imposed on her. In particular she can keep her systems in a quantum memory and perform a (coherent) measurement on them at any time. Collective attacks are very meaningful in QKD because a bound on the key rate for these attacks automatically becomes a bound for the most general attacks if a de Finetti theorem can be applied, as is the case in the usual security scenario [10].

The physical basis for our device-independent security proof is the fact that measurements on entangled particles can provide Alice and Bob with non-local correlations, i.e., correlations that cannot be reproduced by shared randomness (local variables), as detected by the violation of Bell-type inequalities. Considered in the perspective of QKD, the fact that Alice's and Bob's symbols are correlated in a non-local way, whatever the underlying physical details of the apparatuses that produced those symbols, implies that Eve cannot have full information about them; otherwise her own symbol would be a local variable able to reproduce the correlations.



This intuition has been around for some time [11, 12]. Quantitative progress has been possible however only recently, thanks to the pioneering work of Barrett, Hardy and Kent [13] and to further extensions [7, 9, 14]. For conceptual interest and mathematical simplicity, all these works studied security against a supra-quantum Eve, who could perform any operation compatible with the no-signalling principle. The proof of Ref. [13] applies only to the zero-error case; those in Refs. [7, 9] allow for errors but restrict Eve to individual attacks; Masanes and Winter [14] proved non-universally-composable security under the assumption that Eve's attack is arbitrary but is not correlated with the classical post-processing of the raw key. In this paper, we focus on the more realistic situation in which Eve is constrained by quantum physics, and prove universally-composable security against collective attacks.

The protocol. The protocol that we study is a modification of the Ekert 1991 protocol [2] proposed in Ref. [9]. Alice and Bob share a quantum channel consisting of a source that emits pairs of entangled particles. On each of her particles Alice chooses between three possible measurements $A_0$, $A_1$ and $A_2$, and Bob between two possible measurements $B_1$ and $B_2$. All measurements have binary outcomes labelled by $a_i, b_j \in \{+1, -1\}$ (note however that the quantum systems may be of dimension larger than 2). The raw key is extracted from the pair $\{A_0, B_1\}$. In particular, the quantum bit error rate (QBER) is $Q = \mathrm{prob}(a_0 \neq b_1)$. As mentioned in the introduction, Eve's information is bounded by evaluating Bell-type inequalities, since these are the only entanglement witnesses which are independent of the details of the system. In our case, Alice and Bob use the measurements $A_1$, $A_2$, $B_1$, and $B_2$ on a subset of their particles to compute the Clauser-Horne-Shimony-Holt (CHSH) polynomial [15]

$$ S = \langle a_1 b_1 \rangle + \langle a_1 b_2 \rangle + \langle a_2 b_1 \rangle - \langle a_2 b_2 \rangle , \qquad (1) $$

which defines the CHSH inequality $S \leq 2$. We note that there is no a priori relation between the value of $S$ and the value of $Q$: these are the two parameters which are available to estimate Eve's information. Without loss of generality, we suppose that the marginals are random for each measurement, i.e., $\langle a_i \rangle = \langle b_j \rangle = 0$ for all $i$ and $j$. Were this not the case, Alice and Bob could achieve it a posteriori through public one-way communication by agreeing on flipping a chosen half of their bits. This operation would not change the values of $Q$ and $S$ and would be known to Eve.

Eavesdropping. In the device-independent scenario, Eve is assumed not only to control the source (as in usual entanglement-based QKD), but also to have fabricated Alice's and Bob's measuring devices. The only data available to Alice and Bob to bound Eve's knowledge are the observed relation between the measurement settings and outcomes, without any assumption on how the measurements are actually carried out or on what system they operate. In complete generality, we may describe this situation as follows. Alice, Bob, and Eve share a state $|\Psi\rangle_{ABE} \in \mathcal{H}_A^{\otimes n} \otimes \mathcal{H}_B^{\otimes n} \otimes \mathcal{H}_E$, where $n$ is the number of bits of the raw key. The dimension $d$ of Alice's and Bob's Hilbert spaces $\mathcal{H}_A = \mathcal{H}_B = \mathbb{C}^d$ is unknown to them and fixed by Eve. The measurement $M_k$ yielding the $k$-th outcome of Alice is defined on the $k$-th subspace of Alice and chosen by Eve. This measurement depends on the $k$-th setting $A_{j_k}$ chosen by Alice, but possibly also on all previous settings and outcomes: $M_k = M(A_{j_k}, \mathbf{A}_{k-1}, \mathbf{a}_{k-1})$ where $\mathbf{A}_{k-1} = (A_{j_1}, \ldots, A_{j_{k-1}})$ and $\mathbf{a}_{k-1} = (a_{j_1}, \ldots, a_{j_{k-1}})$. The situation is similar for Bob.

Collective attacks. In this paper, we focus on collective attacks where Eve applies the same attack to each system of Alice and Bob. Specifically, we assume that the total state shared by the three parties has the product form $|\Psi_{ABE}\rangle = |\psi_{ABE}\rangle^{\otimes n}$ and that the measurements are a function of the current setting only, e.g., for Alice $M_k = M(A_{j_k})$. (From now on, we thus simply write the measurement $M(A_j)$ as $A_j$.)

For collective attacks, the secret key rate $r$ under one-way classical postprocessing from Bob to Alice is lower-bounded by the Devetak-Winter rate [16],

$$ r \geq r_{DW} = I(A_0 : B_1) - \chi(B_1 : E) , \qquad (2) $$

which is the difference between the mutual information between Alice and Bob, $I(A_0 : B_1) = 1 - h(Q)$ ($h$ is the binary entropy), and the Holevo quantity between Eve and Bob, $\chi(B_1 : E) = S(\rho_E) - \frac{1}{2} \sum_{b_1 = \pm 1} S(\rho_{E|b_1})$. Note that the rate is given by (2) because $\chi(A_0 : E) \geq \chi(B_1 : E)$ holds for our protocol [9, 17]; it is therefore advantageous for Alice and Bob to do the classical postprocessing with public communication from Bob to Alice.

Upper bound on the Holevo quantity. To find Eve's optimal collective attack, we must find the largest value of $\chi(B_1 : E)$ compatible with the observed parameters without assuming anything about the physical systems and the measurements that are performed. Our main result is the following.

Theorem. Let $|\psi_{ABE}\rangle$ be a quantum state and $\{A_1, A_2, B_1, B_2\}$ a set of measurements yielding a violation $S$ of the CHSH inequality. Then after Alice and Bob have symmetrized their marginals,

$$ \chi(B_1 : E) \leq h\!\left( \frac{1 + \sqrt{(S/2)^2 - 1}}{2} \right) . \qquad (3) $$

Before presenting the proof of this bound, we give an explicit attack which saturates it; this example clarifies why the bound (3) is independent of $Q$. Eve sends to Alice and Bob the two-qubit Bell-diagonal state

$$ \rho_{AB}(S) = \frac{1 + C}{2} P_{\Phi^+} + \frac{1 - C}{2} P_{\Phi^-} , \qquad (4) $$

where $P_{\Phi^\pm}$ are the projectors on the Bell states $|\Phi^\pm\rangle = (|00\rangle \pm |11\rangle)/\sqrt{2}$ and $C = \sqrt{(S/2)^2 - 1}$. She defines the measurements to be $B_1 = \sigma_z$, $B_2 = \sigma_x$ and $A_{1,2} = \frac{1}{\sqrt{1 + C^2}}\,\sigma_z \pm \frac{C}{\sqrt{1 + C^2}}\,\sigma_x$. Any value of $Q$ can be obtained by choosing $A_0$ to be $\sigma_z$ with probability $1 - 2Q$ and to be a randomly chosen bit with probability $2Q$. This attack is impossible within the usual assumptions because here not only the state $\rho_{AB}$, but also the measurements taking place in Alice's apparatus depend explicitly on the observed values of $S$ and $Q$. The state (4) has a nice interpretation: it is the two-qubit state which gives the highest violation $S$ of the CHSH inequality for a given value of the entanglement, measured by the concurrence $C$ [18].

We now present the proof of the Theorem stated above, in four steps; see Ref. [17] for more details.

Proof, Step 1. It is not restrictive to suppose that Eve sends to Alice and Bob a mixture $\rho_{AB} = \sum_c p_c \rho^c_{AB}$ of two-qubit states, together with a classical ancilla (known to her) that carries the value $c$ and determines which measurements $A_i^c$ and $B_j^c$ are to be used on $\rho^c_{AB}$.

The proof of this first statement relies critically on the simplicity of the CHSH inequality (two binary settings on each side). We present the argument for Alice; the same holds for Bob. First, we may assume that the two measurements of Alice are von Neumann measurements, if necessary by including ancillas in the state $\rho_{AB}$ shared by Alice and Bob. Thus $A_1$ and $A_2$ are hermitian operators on $\mathbb{C}^d$ with eigenvalues $\pm 1$. It follows from this that $A_1 A_2$ is a unitary, hence diagonalizable, operator. In the basis of $\mathbb{C}^d$ formed by the eigenvectors of $A_1 A_2$, one can show that $A_1$ and $A_2$ are block-diagonal, with blocks of size $1 \times 1$ or $2 \times 2$. In other words, $A_i = \sum_c P^c A_i P^c$ where the $P^c$'s are projectors of rank 1 or 2. From Alice's standpoint, the measurement of $A_i$ thus amounts to projecting in one of the (at most) two-dimensional subspaces defined by the projectors $P^c$, followed by a measurement of the reduced observable $P^c A_i P^c = \vec{a}_i^{\,c} \cdot \vec{\sigma}$. Clearly, it cannot be worse for Eve to perform the projection herself before sending the state to Alice and learn the value of $c$. The same holds for Bob. We conclude that in each run of the experiment Alice and Bob receive a two-qubit state. The deviation from usual proofs lies in the fact that the measurements to be applied can depend explicitly on the state.

Proof, Step 2. Each state $\rho^c_{AB}$ can be taken to be a Bell-diagonal state and the measurements $A_i^c$ and $B_j^c$ to be measurements in the $(x, z)$ plane.

To reduce the problem further in this way, we use some freedom in the labeling together with two applications of a usual argument. For fixed $c$ (we now omit the index $c$), let us first choose the axes of the Bloch sphere on Alice's side in such a way that $\vec{a}_1$ and $\vec{a}_2$ define the $(x, z)$ plane, and similarly on Bob's side. Eve is a priori distributing any two-qubit state $\rho$ of which she holds a purification. Now, recall that we have supposed, without loss of generality, that all the marginals are uniformly random. Here comes an argument which is typical of QKD [5]: knowing that Alice and Bob are going to symmetrize their marginals, Eve does not lose anything in providing them a state with the suitable symmetry. The reason is as follows. First note that since the (classical) randomization protocol that ensures $\langle a_i \rangle = \langle b_j \rangle = 0$ is done by Alice and Bob through public communication, we can as well assume that it is Eve who does it, i.e., she flips the value of each outcome bit with probability one half. But because the measurements of Alice and Bob are in the $(x, z)$ plane, we can equivalently, i.e., without changing Eve's information, view the classical flipping of the outcomes as the quantum operation $\rho \to \bar{\rho} = (\sigma_y \otimes \sigma_y)\,\rho\,(\sigma_y \otimes \sigma_y)$ on the state $\rho$. We conclude that it is not restrictive to assume that Eve is in fact sending the mixture $\frac{1}{2}(\rho + \bar{\rho})$, i.e., that she is sending a state invariant under $\sigma_y \otimes \sigma_y$. Now, through an appropriate choice of basis that leaves invariant the $(x, z)$ plane, and corresponding to the freedom to define the orientation of $y$ and the direction of $x$ for both Alice and Bob (see [17] for the explicit transformations),



every $\sigma_y \otimes \sigma_y$ invariant two-qubit state can be written in the Bell basis, ordered as $\{|\Phi^+\rangle, |\Psi^-\rangle, |\Phi^-\rangle, |\Psi^+\rangle\}$, in the canonical form

$$ \rho = \begin{pmatrix} \lambda_{\Phi^+} & i r_1 & 0 & 0 \\ -i r_1 & \lambda_{\Psi^-} & 0 & 0 \\ 0 & 0 & \lambda_{\Phi^-} & i r_2 \\ 0 & 0 & -i r_2 & \lambda_{\Psi^+} \end{pmatrix} \qquad (5) $$

with $\lambda_{\Phi^+} \geq \lambda_{\Psi^-}$, $\lambda_{\Phi^+} \geq \lambda_{\Phi^-} \geq \lambda_{\Psi^+}$ and $r_1, r_2$ real.

Finally, we repeat an argument similar to the one given above: since $\rho$ and its conjugate $\rho^*$ produce the same statistics for Alice's and Bob's measurements and provide Eve with the same information, we can suppose without loss of generality that Alice and Bob rather receive the mixture $\frac{1}{2}(\rho + \rho^*)$, which is Bell-diagonal.

Proof, Step 3. For a Bell-diagonal state $\rho_\lambda$ with eigenvalues $\lambda$ ordered as above and for measurements in the $(x, z)$ plane,

$$ \chi_\lambda(B_1 : E) \leq F(S_\lambda) = h\!\left( \frac{1 + \sqrt{(S_\lambda/2)^2 - 1}}{2} \right) , \qquad (6) $$

where $S_\lambda = 2\sqrt{2}\,\sqrt{(\lambda_{\Phi^+} - \lambda_{\Psi^-})^2 + (\lambda_{\Phi^-} - \lambda_{\Psi^+})^2}$ is the largest violation of the CHSH inequality by the state $\rho_\lambda$.

This step is mainly computational; we sketch it here and refer to [17] for details. For Bell-diagonal states, for any choice of $B_1 = \cos\varphi\,\sigma_z + \sin\varphi\,\sigma_x$, one has $S(\rho_{E|b_1=0}) = S(\rho_{E|b_1=1}) \geq h(\lambda_{\Phi^+} + \lambda_{\Phi^-})$ with equality if and only if $B_1 = \sigma_z$. It follows that

$$ \chi_\lambda(B_1 : E) \leq H(\lambda) - h(\lambda_{\Phi^+} + \lambda_{\Phi^-}) . \qquad (7) $$

The right hand side of this expression is in turn bounded by the function $F(S_\lambda)$ appearing in (6). It now suffices to notice that $S_\lambda = 2\sqrt{2}\,\sqrt{(\lambda_{\Phi^+} - \lambda_{\Psi^-})^2 + (\lambda_{\Phi^-} - \lambda_{\Psi^+})^2}$ is the maximal violation of the CHSH inequality by the state $\rho_\lambda$; it is achieved for $B_1 = \sigma_z$, $B_2 = \sigma_x$ and $A_1$ and $A_2$ depending explicitly on the $\lambda$'s.
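The attack of eq. (4) and the bound of Step 3 can be checked numerically. The following Python script is an added example, not code from the paper or its authors: it represents a Bell-diagonal state by its four weights in the Bell-basis order of eq. (5), evaluates the CHSH polynomial (1) for measurements in the $(x, z)$ plane through the state's correlation tensor, computes Eve's Holevo quantity on Bob's $\sigma_z$ outcome from the right-hand side of eq. (7), and verifies both that Eve's state and settings of eq. (4) reproduce the announced $S$ while her Holevo quantity equals $F(S)$ and, going beyond that special case, that a generic Bell-diagonal state respects $\chi_\lambda \leq F(S_\lambda)$. The function and variable names and the constructed weights are the example's own.

```python
import math

# Added example, not code from the paper. A Bell-diagonal state is given by the weights
# (lambda_Phi+, lambda_Psi-, lambda_Phi-, lambda_Psi+), in the Bell-basis order of eq. (5).
# A measurement in the (x, z) plane is given by the angle theta of cos(theta) sigma_z + sin(theta) sigma_x.


def binary_entropy(p):
    """h(p) = -p log2 p - (1-p) log2 (1-p), with h(0) = h(1) = 0."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1.0 - p) * math.log2(1.0 - p)


def shannon_entropy(probs):
    """H(lambda) of a probability vector, in bits."""
    return -sum(p * math.log2(p) for p in probs if p > 0.0)


def correlation_tensor(lam):
    """Diagonal correlation tensor (t_xx, t_yy, t_zz), t_ii = <sigma_i (x) sigma_i>, of a
    Bell-diagonal state, from the Pauli-product expectation values of the Bell states:
    (xx, yy, zz) = (+1,-1,+1) for Phi+, (-1,-1,-1) for Psi-, (-1,+1,+1) for Phi-, (+1,+1,-1) for Psi+."""
    l_phi_p, l_psi_m, l_phi_m, l_psi_p = lam
    t_xx = l_phi_p - l_psi_m - l_phi_m + l_psi_p
    t_yy = -l_phi_p - l_psi_m + l_phi_m + l_psi_p
    t_zz = l_phi_p - l_psi_m + l_phi_m - l_psi_p
    return t_xx, t_yy, t_zz


def correlator(lam, theta_a, theta_b):
    """<a b> when Alice measures at angle theta_a and Bob at theta_b in the (x, z) plane:
    only t_xx and t_zz contribute."""
    t_xx, _, t_zz = correlation_tensor(lam)
    return (math.sin(theta_a) * math.sin(theta_b) * t_xx
            + math.cos(theta_a) * math.cos(theta_b) * t_zz)


def chsh(lam, a1, a2, b1, b2):
    """CHSH polynomial of eq. (1) for the four measurement angles."""
    return (correlator(lam, a1, b1) + correlator(lam, a1, b2)
            + correlator(lam, a2, b1) - correlator(lam, a2, b2))


def max_chsh_xz(lam):
    """S_lambda of eq. (6): the largest CHSH value reachable with (x, z)-plane measurements."""
    l_phi_p, l_psi_m, l_phi_m, l_psi_p = lam
    return 2.0 * math.sqrt(2.0) * math.sqrt((l_phi_p - l_psi_m) ** 2 + (l_phi_m - l_psi_p) ** 2)


def optimal_angles(lam):
    """Angles attaining S_lambda with B1 = sigma_z, B2 = sigma_x; Alice's settings
    A_{1,2} = (t_zz sigma_z +/- t_xx sigma_x)/sqrt(t_xx^2 + t_zz^2) depend on the lambda's.
    For the state of eq. (4) this reduces to the settings given there (t_zz = 1, t_xx = C)."""
    t_xx, _, t_zz = correlation_tensor(lam)
    theta = math.atan2(t_xx, t_zz)
    return theta, -theta, 0.0, math.pi / 2.0


def holevo_bound_F(S):
    """F(S) of eqs. (3) and (6); for S <= 2 (no violation) the bound is trivially h(1/2) = 1."""
    if S <= 2.0:
        return 1.0
    return binary_entropy((1.0 + math.sqrt((S / 2.0) ** 2 - 1.0)) / 2.0)


def holevo_sigma_z(lam):
    """Eve's Holevo quantity on Bob's sigma_z outcome when she holds a purification of the
    Bell-diagonal state: the right-hand side of eq. (7), attained with equality for B1 = sigma_z."""
    l_phi_p, _, l_phi_m, _ = lam
    return shannon_entropy(lam) - binary_entropy(l_phi_p + l_phi_m)


def attack_state(S):
    """Eve's saturating state of eq. (4): weight (1+C)/2 on Phi+ and (1-C)/2 on Phi-."""
    C = math.sqrt((S / 2.0) ** 2 - 1.0)
    return ((1.0 + C) / 2.0, 0.0, (1.0 - C) / 2.0, 0.0)


def check_attack(S):
    """Return (CHSH value reproduced by the attack, Eve's Holevo quantity, the bound F(S))."""
    lam = attack_state(S)
    return chsh(lam, *optimal_angles(lam)), holevo_sigma_z(lam), holevo_bound_F(S)


if __name__ == "__main__":
    for S in (2.2, 2.5, 2.8):
        s_obs, chi, F = check_attack(S)
        print(f"S={S}: attack reproduces S={s_obs:.4f}, chi(B1:E)={chi:.4f}, F(S)={F:.4f}")
    lam = (0.8, 0.05, 0.1, 0.05)  # constructed Bell-diagonal weights, ordered as in eq. (5)
    S_lam = max_chsh_xz(lam)
    print(f"generic state: S_lambda={S_lam:.4f}, chi={holevo_sigma_z(lam):.4f} "
          f"<= F(S_lambda)={holevo_bound_F(S_lam):.4f}")
```

For the attack the Holevo quantity and the bound coincide for every $S$ in $(2, 2\sqrt{2}]$, which is what makes the bound (3) tight; for the generic state the inequality is strict, since $F$ only tracks the CHSH value and not the full spectrum $\lambda$.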

Proof, Step 4. To conclude the proof, note that if Eve sends a mixture of Bell-diagonal states $\sum_\lambda p_\lambda \rho_\lambda$ and chooses the measurements to be in the $(x, z)$ plane, then $\chi(B_1 : E) = \sum_\lambda p_\lambda \chi_\lambda(B_1 : E)$. Using (6), we then find $\chi(B_1 : E) \leq \sum_\lambda p_\lambda F(S_\lambda) \leq F\!\left(\sum_\lambda p_\lambda S_\lambda\right)$, where the last inequality holds because $F$ is concave. But since the observed violation $S$ of CHSH is necessarily such that $S \leq \sum_\lambda p_\lambda S_\lambda$ and since $F$ is a monotonically decreasing function, we find $\chi(B_1 : E) \leq F(S)$.

Key rate. Given the bound (3), the key rate (2) can be computed for any values of $Q$ and $S$. As an illustration, we study correlations satisfying $S = 2\sqrt{2}(1 - 2Q)$, which arise from the state $|\Phi^+\rangle$ after going through a depolarizing channel, or through a phase-covariant cloner, or more generally from any Bell-diagonal $\rho_{AB}$ such that $\lambda_{\Phi^+} \geq \lambda_{\Psi^-}$ and $\lambda_{\Phi^-} = \lambda_{\Psi^+}$, when doing the measurements $A_0 = B_1 = \sigma_z$, $B_2 = \sigma_x$, $A_1 = (\sigma_z + \sigma_x)/\sqrt{2}$ and $A_2 = (\sigma_z - \sigma_x)/\sqrt{2}$. We consider these correlations because of their experimental significance, but it is important to stress that Alice and Bob do not need to assume that they perform the above qubit measurements. The corresponding key rate is plotted in Fig. 1 as a function of $Q$. For the sake of comparison, we have also plotted the key rate under the usual assumptions of QKD for the same set of correlations. In this case, Alice and Bob have perfect control of their apparatuses, which we have assumed to faithfully perform the qubit measurements given above. The protocol is then equivalent to Ekert's, which in turn is equivalent to the entanglement-based version of BB84: Eve's information on the key is determined by the "phase error" which can be computed for our protocol using the formalism of Ref. One finds $e_p = 1 - Q - S/2\sqrt{2}$, whence

$$ \chi(B_1 : E) \leq h\!\left( Q + S/2\sqrt{2} \right) . \qquad (8) $$

If $e_p = Q$, i.e., $S = 2\sqrt{2}(1 - 2Q)$, this expression yields the well-known critical QBER of 11% [4], to be compared to 7.1% in the device-independent scenario (Fig. 1). (Note that the key rate given by eq. (3) is much higher than the one against a no-signalling eavesdropper obtained by applying the security proof of [14].)

FIG. 1: Extractable secret-key rate against collective attacks in the usual scenario [$\chi(B_1 : E)$ given by eq. (8)] and in the device-independent scenario [$\chi(B_1 : E)$ given by eq. (3)], for correlations satisfying $S = 2\sqrt{2}(1 - 2Q)$.
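The key-rate comparison of this section, and the two critical QBERs quoted above, can be reproduced with the following Python script, an added example that is not code from the paper or its authors: it implements the Devetak-Winter rate (2) with $\chi(B_1 : E)$ bounded by eq. (3) in the device-independent scenario and by eq. (8) in the usual scenario, evaluates both along $S = 2\sqrt{2}(1 - 2Q)$, and locates each critical QBER by bisection. Function names and the bisection tolerance are the example's own.

```python
import math

# Added example, not code from the paper. Evaluates r_DW = 1 - h(Q) - chi(B1:E) of eq. (2)
# with chi bounded by eq. (3) (device-independent) or eq. (8) (usual scenario), along the
# family S = 2*sqrt(2)*(1 - 2Q) of Fig. 1, and finds the critical QBER of each scenario.

SQRT2 = math.sqrt(2.0)


def binary_entropy(p):
    """h(p) in bits, with h(0) = h(1) = 0."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1.0 - p) * math.log2(1.0 - p)


def holevo_bound_di(S):
    """Eq. (3): chi(B1:E) <= h((1 + sqrt((S/2)^2 - 1))/2). Without a CHSH violation
    (S <= 2) the bound is the trivial h(1/2) = 1; quantum correlations cannot exceed
    Tsirelson's bound S = 2*sqrt(2), at which the bound reaches h(1) = 0."""
    if S > 2.0 * SQRT2 + 1e-12:
        raise ValueError("S above Tsirelson's bound 2*sqrt(2)")
    if S <= 2.0:
        return 1.0
    return binary_entropy((1.0 + math.sqrt(min((S / 2.0) ** 2 - 1.0, 1.0))) / 2.0)


def holevo_bound_usual(Q, S):
    """Eq. (8): chi(B1:E) <= h(Q + S/(2*sqrt(2))) = h(e_p), with phase error
    e_p = 1 - Q - S/(2*sqrt(2)) in the trusted-device scenario."""
    return binary_entropy(Q + S / (2.0 * SQRT2))


def key_rate(Q, S, device_independent=True):
    """Devetak-Winter lower bound r_DW = I(A0:B1) - chi(B1:E) with I(A0:B1) = 1 - h(Q)."""
    chi = holevo_bound_di(S) if device_independent else holevo_bound_usual(Q, S)
    return 1.0 - binary_entropy(Q) - chi


def family_S(Q):
    """CHSH value of the correlations studied in the text (|Phi+> through a depolarizing channel)."""
    return 2.0 * SQRT2 * (1.0 - 2.0 * Q)


def critical_qber(device_independent=True, tol=1e-9):
    """Largest Q with positive key rate along S = 2*sqrt(2)*(1 - 2Q), by bisection on
    [0, 1/4]: the rate is 1 at Q = 0 and negative at Q = 1/4 (S = sqrt(2), no violation),
    and it decreases monotonically in Q along this family."""
    lo, hi = 0.0, 0.25
    while hi - lo > tol:
        mid = 0.5 * (lo + hi)
        if key_rate(mid, family_S(mid), device_independent) > 0.0:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


if __name__ == "__main__":
    print("    Q       S     r_DI    r_usual")
    for i in range(12):
        Q = 0.01 * i
        S = family_S(Q)
        print(f"{Q:5.2f}  {S:6.3f}  {key_rate(Q, S, True):7.4f}  {key_rate(Q, S, False):7.4f}")
    print(f"critical QBER: device-independent {100 * critical_qber(True):.2f}%, "
          f"usual scenario {100 * critical_qber(False):.2f}%")
```

Along this family the usual-scenario rate reduces to $1 - 2h(Q)$, which vanishes at $Q \approx 11\%$, while the device-independent rate pays the larger price $F(S)$ for Eve's freedom to build the devices and vanishes near $7.1\%$.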

Final remarks. Through its remarkable generality, our device-independent security proof allows us to ignore the detailed implementation of the QKD protocol and therefore applies in a simple way to situations where the quantum apparatuses are noisy or where uncontrolled side channels are present. It also applies to the situation where the apparatuses are entirely untrusted and provided by the eavesdropper herself. In this latter case, the proof cannot be applied to any existing device yet, because of the detection loophole which arises due to inefficient detectors and photon absorption. These processes imply that sometimes Alice's and Bob's detectors will not fire. A possible strategy to apply our proof to this new situation is for Alice and Bob to replace the absence of a click by a chosen outcome, in effect replacing detection inefficiency by noise. However, the amount of detection inefficiency that can be tolerated in this way is much lower than the one present in current quantum communication experiments. In Bell tests, this problem is often circumvented by invoking additional assumptions such as the fair sampling hypothesis — a very reasonable one if the aim is to constrain possible models of Nature, but hardly justified if the device is provided by an untrusted Eve. In the light of the present work, the "detection loophole" thus becomes a meaningful issue in applied physics.

In conclusion, we have found the optimal collective attack on a QKD protocol in the device-independent scenario, in which no other assumptions are made than the validity of quantum physics and the absence of any leakage of classical information from Alice's and Bob's laboratories. If a suitable de Finetti-like theorem can be demonstrated in this scenario, the bound that we have presented here will in fact be the bound against the most general attacks.

Acknowledgements. We are grateful to C. Branciard, 
I. Cirac, A. Ekert, A. Kent, R. Renner and C. Simon 
for fruitful discussions. We acknowledge financial sup- 
port from the Swiss NCCR "Quantum Photonics", the 
EU Qubit Applications Project (QAP) Contract number 
015848, the Spanish projects FIS2004-05639-C02-02 and 
Consolider QOIT, the Spanish MEC for a "Juan de la 
Cierva" grant, and the IAP project Photonics@be of the 
Belgian Science Policy. 



[1] C. H. Bennett, G. Brassard, in Proceedings IEEE Int. Conf. on Computers, Systems and Signal Processing, Bangalore, India (IEEE, New York, 1984), pp. 175-179.
[2] A. K. Ekert, Phys. Rev. Lett. 67, 661 (1991).
[3] N. Gisin et al., Rev. Mod. Phys. 74, 145 (2002); M. Dusek, N. Lütkenhaus, M. Hendrych, in Progress in Optics, edited by E. Wolf (Elsevier, New York, 2006), Vol. 49, p. 381.
[4] P. W. Shor, J. Preskill, Phys. Rev. Lett. 85, 441 (2000).
[5] B. Kraus, N. Gisin, R. Renner, Phys. Rev. Lett. 95, 080501 (2005); R. Renner, N. Gisin, B. Kraus, Phys. Rev. A 72, 012332 (2005).
[6] M. Koashi, J. Preskill, Phys. Rev. Lett. 90, 057902 (2003); D. Gottesman, H.-K. Lo, N. Lütkenhaus, J. Preskill, Quant. Inf. Comput. 5, 325 (2004).
[7] A. Acín, N. Gisin, L. Masanes, Phys. Rev. Lett. 97, 120405 (2006); V. Scarani et al., Phys. Rev. A 74, 042339 (2006).
[8] F. Magniez et al., quant-ph/0512111, Appendix A.
[9] A. Acín, S. Massar, S. Pironio, New J. Phys. 8, 126 (2006).
[10] R. Renner, Security of Quantum Key Distribution, PhD thesis, quant-ph/0512258.
[11] C. H. Bennett, G. Brassard, N. D. Mermin, Phys. Rev. Lett. 68, 557 (1992).
[12] D. Mayers, A. Yao, Quant. Inf. Comput. 4, 273 (2004).
[13] J. Barrett, L. Hardy, A. Kent, Phys. Rev. Lett. 95, 010503 (2005).
[14] L. Masanes, A. Winter, quant-ph/0606049.
[15] J. F. Clauser, M. A. Horne, A. Shimony, R. A. Holt, Phys. Rev. Lett. 23, 880 (1969).
[16] I. Devetak, A. Winter, Proc. R. Soc. Lond. A 461, 207 (2005).
[17] A. Acín et al., in preparation.
[18] F. Verstraete, M. M. Wolf, Phys. Rev. Lett. 89, 170401 (2002).
[19] L. Masanes, Phys. Rev. Lett. 97, 050503 (2006).
[20] R. Horodecki, P. Horodecki, M. Horodecki, Phys. Lett. A 200, 340 (1995).



